Beyond Linux® From Scratch - Version 7.5

Chapter 4. Security

Setting Up a Network
Firewall

Before you read this part of the chapter, you should have already
installed iptables as described in the previous section.

Introduction to Firewall Creation

The general purpose of a firewall is to protect a computer or a
network against malicious access.

In a perfect world, every daemon or service on every machine is
perfectly configured and immune to flaws such as buffer overflows
or other problems regarding its security. Furthermore, you trust
every user accessing your services. In this world, you do not need
to have a firewall.

In the real world however, daemons may be misconfigured and
exploits against essential services are freely available. You may
wish to choose which services are accessible by certain machines or
you may wish to limit which machines or applications are allowed
external access. Alternatively, you may simply not trust some of
your applications or users. You are probably connected to the
Internet. In this world, a firewall is essential.

Don't assume however, that having a firewall makes careful
configuration redundant, or that it makes any negligent
misconfiguration harmless. It doesn't prevent anyone from
exploiting a service you intentionally offer but haven't recently
updated or patched after an exploit went public. Despite having a
firewall, you need to keep applications and daemons on your system
properly configured and up to date. A firewall is not a cure all,
but should be an essential part of your overall security strategy.

Meaning of the Word "Firewall"

The word firewall can have several different meanings.

Personal Firewall

This is a hardware device or software program commercially sold
(or offered via freeware) by companies such as Symantec which
claims that it secures a home or desktop computer connected to
the Internet. This type of firewall is highly relevant for users
who do not know how their computers might be accessed via the
Internet or how to disable that access, especially if they are
always online and connected via broadband links.

Masquerading Router

This is a system placed between the Internet and an intranet. To
minimize the risk of compromising the firewall itself, it should
generally have only one role—that of protecting the
intranet. Although not completely risk free, the tasks of doing
the routing and IP masquerading (rewriting IP headers of the
packets it routes from clients with private IP addresses onto the
Internet so that they seem to come from the firewall itself) are
commonly considered relatively secure.

BusyBox

This is often an old computer you may have retired and nearly
forgotten, performing masquerading or routing functions, but
offering non-firewall services such as a web-cache or mail. This
may be used for home networks, but is not to be considered as
secure as a firewall only machine because the combination of
server and router/firewall on one machine raises the complexity
of the setup.

Firewall with a Demilitarized Zone [Not Further Described Here]

This box performs masquerading or routing, but grants public
access to some branch of your network which, because of public
IPs and a physically separated structure, is essentially a
separate network with direct Internet access. The servers on this
network are those which must be easily accessible from both the
Internet and intranet. The firewall protects both networks. This
type of firewall has a minimum of three network interfaces.

Packetfilter

This type of firewall does routing or masquerading, but does not
maintain a state table of ongoing communication streams. It is
fast, but quite limited in its ability to block undesired packets
without blocking desired packets.

Now You Can Start to Build your Firewall

Caution

This introduction on how to setup a firewall is not a complete
guide to securing systems. Firewalling is a complex issue that
requires careful configuration. The scripts quoted here are
simply intended to give examples of how a firewall works. They
are not intended to fit into any particular configuration and may
not provide complete protection from an attack.

Customization of these scripts for your specific situation will
be necessary for an optimal configuration, but you should make a
serious study of the iptables documentation and creating
firewalls in general before hacking away. Have a look at the list
of links for
further reading at the end of this section for more details.
There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.

The firewall configuration script installed in the iptables section
differs from the standard configuration script. It only has two of
the standard targets: start and status. The other targets are clear
and lock. For instance if you issue:

/etc/rc.d/init.d/iptables start

the firewall will be restarted just as it is upon system startup.
The status target will present a list of all currently implemented
rules. The clear target turns off all firewall rules and the lock
target will block all packets in and out of the computer with the
exception of the loopback interface.

The main startup firewall is located in the file /etc/rc.d/rc.iptables. The sections below provide
three different approaches that can be used for a system.

Note

You should always run your firewall rules from a script. This
ensures consistency and a record of what was done. It also allows
retention of comments that are essential for understanding the
rules long after they were written.

Personal Firewall

A Personal Firewall is designed to let you access all the
services offered on the Internet, but keep your box secure and
your data private.

This script is quite simple: it drops all traffic coming into
your computer that wasn't initiated from your computer. As long
as you are simply surfing the Internet, you are unlikely to
exceed its limits.

Even if you have daemons or services running on your system,
these will be inaccessible everywhere but from your computer
itself. If you want to allow access to services on your machine,
such as ssh or
ping, take a look
at BusyBox.
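The bootscript targets described above (start, clear, lock) and the
Personal Firewall, written out as an added example in the style of
/etc/rc.d/rc.iptables. This is not the BLFS script: the function names
and the RUN dry-run switch (set RUN=echo to print the commands instead
of running them) are assumptions of this example. It is POSIX sh and
needs root to actually load rules.

```shell
#!/bin/sh
# Personal firewall plus the behaviour of the bootscript's "clear" and
# "lock" targets. Added example, not the BLFS rc.iptables script.
# Run as root to apply; RUN=echo previews the commands (hypothetical
# dry-run switch, not a BLFS feature).
RUN="${RUN:-}"

# Remove every rule and chain and open all policies (the "clear" target).
fw_clear() {
    $RUN iptables -F
    $RUN iptables -X
    $RUN iptables -t nat -F
    $RUN iptables -t nat -X
    $RUN iptables -P INPUT ACCEPT
    $RUN iptables -P FORWARD ACCEPT
    $RUN iptables -P OUTPUT ACCEPT
}

# Block everything in and out except loopback (the "lock" target).
fw_lock() {
    $RUN iptables -F
    $RUN iptables -X
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT DROP
    $RUN iptables -A INPUT  -i lo -j ACCEPT
    $RUN iptables -A OUTPUT -o lo -j ACCEPT
}

# Personal firewall: nothing comes in unless this host started the
# conversation; everything the host itself starts is allowed out.
fw_personal() {
    # Known state first, then drop by default on the way in.
    $RUN iptables -F
    $RUN iptables -X
    $RUN iptables -P INPUT DROP
    $RUN iptables -P FORWARD DROP
    $RUN iptables -P OUTPUT ACCEPT

    # Local processes talking to each other over loopback.
    $RUN iptables -A INPUT -i lo -j ACCEPT

    # Replies to connections this host opened. The conntrack state table
    # is what separates this from a plain packet filter.
    $RUN iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

    # Packets that are neither new nor part of a known connection are
    # garbage; drop them quietly so the log is not flooded by them.
    $RUN iptables -A INPUT -m conntrack --ctstate INVALID -j DROP

    # Log what is about to hit the DROP policy, rate-limited so a port
    # scan cannot fill the disk. Everything else falls through to DROP.
    $RUN iptables -A INPUT -m limit --limit 3/minute --limit-burst 10 \
        -j LOG --log-prefix "FIREWALL:INPUT "
}

# With no argument the functions are only defined, so the file can be
# sourced; the names mirror the bootscript targets.
case "${1:-}" in
    start) fw_personal ;;
    clear) fw_clear ;;
    lock)  fw_lock ;;
    *) : ;;
esac
```

Run `sh rc.iptables start` as root to load it, and `RUN=echo sh rc.iptables start`
to read the rule set before trusting it. Note that "lock" sets the OUTPUT
policy to DROP as well, so an ssh session into the box is cut at once.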

Masquerading Router

A true firewall has two interfaces, one connected to an intranet,
in this example eth0, and one connected to the
Internet, here ppp0.
To provide the maximum security for the firewall itself, make
sure that there are no unnecessary servers running on it, such as
X11 et al. As a general
principle, the firewall itself should not access any untrusted
service (think of a remote server giving answers that make a
daemon on your system crash or, even worse, that deliver a
worm via a buffer overflow).

With this script your intranet should be reasonably secure
against external attacks. No one should be able to set up a new
connection to any internal service, and masquerading makes your
intranet invisible to the Internet. Furthermore, the firewall
itself should be relatively safe because there are no services
running on it that a cracker could attack.

Note

If the interface you're connecting to the Internet doesn't
connect via PPP, you will need to change <ppp+> to the name of the
interface (e.g., eth1) which you are using.

BusyBox

This scenario isn't too different from the Masquerading Router, but additionally
offers some services to your intranet. Examples of this can be
when you want to administer your firewall from another host on
your intranet or use it as a proxy or a name server.

Note

Outlining a true concept of how to protect a server that offers
services on the Internet goes far beyond the scope of this
document. See the references at the end of this section for
more information.

Be cautious. Every service you have enabled makes your setup more
complex and your firewall less secure. You are exposed to the
risks of misconfigured services or running a service with an
exploitable bug. A firewall should generally not run any extra
services. See the introduction to the Masquerading Router for some more
details.

If you want to add services such as internal Samba or name
servers that do not need to access the Internet themselves, the
additional statements are quite simple and should still be
acceptable from a security standpoint. Just add the following
lines into the script before the logging rules.

However, it is generally not advisable to leave OUTPUT
unrestricted. You lose any control over trojans that would like to
"call home", and you lose a bit of redundancy in case you've
(mis-)configured a service so that it broadcasts its existence to
the world.

To accomplish this, you should restrict INPUT and OUTPUT on all
ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you
will find them by looking for failed accesses in your log files.

If you are frequently
accessing FTP servers or enjoy chatting, you might notice
certain delays because some implementations of these
daemons have the feature of querying an identd on your
system to obtain usernames. Although there's really little
harm in this, having an identd running is not recommended
because many security experts feel the service gives out
too much additional information.

To avoid these delays you could reject the requests with a
'tcp-reset':

There are other addresses that you may also want to drop:
0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast and
experimental), 169.254.0.0/16 (Link Local Networks), and
192.0.2.0/24 (IANA defined test network).

To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by
mistake, you could REJECT those packets that are dropped.

Obviously this must be done directly after logging as the
very last lines before the packets are dropped by policy:

iptables -A INPUT -j REJECT

These are only examples to show you some of the capabilities of
the firewall code in Linux. Have a look at the man page of
iptables. There you will find much more information. The port
numbers needed for this can be found in /etc/services, in case you didn't find them by
trial and error in your log file.
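The additions discussed in this BusyBox section, collected as an added
example that is not the BLFS script: intranet-only services, the identd
reset, the address ranges that should never arrive from the Internet,
a restricted OUTPUT chain, and the final REJECT after the logging rules.
It assumes the Masquerading Router layout (eth0 inside, ppp+ outside),
an sshd and a caching name server on the firewall, a constructed
upstream resolver address 198.51.100.53, and the same hypothetical RUN
dry-run switch. The functions are meant to be pasted into the router
script: services and OUTPUT rules before its logging rules, the REJECT
rules after them.

```shell
#!/bin/sh
# BusyBox additions to a masquerading router script. Added example for
# this page, not the BLFS rc.iptables script. Run as root; RUN=echo
# previews the commands (hypothetical dry-run switch).
RUN="${RUN:-}"
INT="${INT:-eth0}"                    # intranet side (assumption)
EXT="${EXT:-ppp+}"                    # Internet side (assumption)
RESOLVER="${RESOLVER:-198.51.100.53}" # constructed upstream DNS address

# Goes before the logging rules of the router script.
fw_busybox_services() {
    # Services for the intranet only: ssh for administration and DNS for
    # the caching name server. Nothing is opened on $EXT.
    $RUN iptables -A INPUT -i $INT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    $RUN iptables -A INPUT -i $INT -p udp --dport 53 -j ACCEPT
    $RUN iptables -A INPUT -i $INT -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT

    # identd: answer port 113 probes from FTP/IRC servers with a RST so
    # they give up at once instead of waiting for a DROP to time out.
    $RUN iptables -A INPUT -i $EXT -p tcp --dport 113 -j REJECT --reject-with tcp-reset

    # Source addresses that never legitimately arrive from the Internet.
    for net in 0.0.0.0/8 127.0.0.0/8 224.0.0.0/3 169.254.0.0/16 192.0.2.0/24; do
        $RUN iptables -A INPUT -i $EXT -s $net -j DROP
    done
}

# Goes before the logging rules as well.
fw_busybox_output() {
    # Restrict what the firewall itself may start: OUTPUT becomes DROP
    # and only what the box needs is opened, so a trojan cannot simply
    # call home. Replies to accepted connections are covered by conntrack.
    $RUN iptables -P OUTPUT DROP
    $RUN iptables -A OUTPUT -o lo -j ACCEPT
    $RUN iptables -A OUTPUT -o $INT -j ACCEPT
    $RUN iptables -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Towards the Internet: DNS to the forwarder, NTP, and HTTP(S) for updates.
    $RUN iptables -A OUTPUT -o $EXT -p udp -d $RESOLVER --dport 53 -j ACCEPT
    $RUN iptables -A OUTPUT -o $EXT -p tcp -d $RESOLVER --dport 53 -j ACCEPT
    $RUN iptables -A OUTPUT -o $EXT -p udp --dport 123 -j ACCEPT
    $RUN iptables -A OUTPUT -o $EXT -p tcp -m multiport --dports 80,443 -j ACCEPT
    # Anything else the box tries to start shows up here, which is how you
    # find the ports you forgot.
    $RUN iptables -A OUTPUT -o $EXT -m limit --limit 3/minute -j LOG --log-prefix "FIREWALL:OUTPUT "
}

# Goes after the logging rules, as the very last INPUT rules.
fw_busybox_reject() {
    # Tell honest clients the port is closed instead of letting them time
    # out against the DROP policy. A RST for TCP, port-unreachable otherwise.
    $RUN iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
    $RUN iptables -A INPUT -j REJECT
}

case "${1:-}" in
    preview) RUN=echo; fw_busybox_services; fw_busybox_output; fw_busybox_reject ;;
    *) : ;;
esac
```

`sh busybox-additions.sh preview` prints the rules in the order the three
functions emit them; in the real script the REJECT pair must still come
after the LOG rules, otherwise nothing that is rejected is ever logged.
Expect a few more OUTPUT ports to turn up in the log over the first days
(mail, package mirrors on other ports) and add them one at a time.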

Conclusion

Finally, there is one fact you must not forget: The effort spent
attacking a system corresponds to the value the cracker expects to
gain from it. If you are responsible for valuable information, you
need to spend the time to protect it properly.